CVE-2021-36753 in BATinfo

Summary

by MITRE • 07/16/2021

sharkdp BAT before 0.18.2 executes less.exe from the current working directory.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/19/2021

The vulnerability identified as CVE-2021-36753 affects the bat utility version 0.18.1 and earlier, representing a significant security flaw in how the tool handles external command execution. This issue stems from bat's improper handling of the less.exe binary execution path, which allows for potential privilege escalation and code execution attacks. The vulnerability specifically targets the utility's reliance on the system PATH environment variable without proper validation of the binary location, creating an exploitable condition that could be leveraged by malicious actors.

The technical flaw resides in bat's implementation where it attempts to execute less.exe without explicitly specifying the full path to the binary. This behavior creates a path traversal vulnerability that allows attackers to place a malicious less.exe binary in the current working directory, which then gets executed instead of the legitimate system version. The vulnerability is classified under CWE-426 as an Untrusted Search Path, where the application searches for executables in directories that could be manipulated by an attacker. This type of vulnerability is particularly dangerous because it can be exploited through simple directory manipulation or symbolic link creation in the working directory.

The operational impact of this vulnerability extends beyond simple command execution, as it can be exploited in various attack scenarios including privilege escalation, code injection, and remote execution. When bat is executed in a directory controlled by an attacker, the malicious less.exe binary can execute arbitrary code with the privileges of the user running bat. This creates a potential vector for attackers to gain unauthorized access to systems, escalate privileges, or establish persistent backdoors. The vulnerability is particularly concerning in environments where bat is used with elevated privileges or in automated scripts that might execute in untrusted directories.

Mitigation strategies for this vulnerability require immediate patching of bat to version 0.18.2 or later, which addresses the path traversal issue by implementing proper binary path resolution. Organizations should also implement strict directory permissions and access controls to prevent unauthorized modifications to working directories where bat might be executed. Additionally, security teams should consider implementing application whitelisting policies that restrict execution of binaries from untrusted locations. The ATT&CK framework categorizes this vulnerability under T1059.001 for Command and Scripting Interpreter and T1546.008 for Steal or Modify Tools, emphasizing the need for comprehensive monitoring and prevention measures. System administrators should also conduct regular security audits to identify and remediate similar path traversal vulnerabilities in other applications, as this represents a common class of security flaws in software utilities that execute external processes.

Reservation

07/15/2021

Disclosure

07/16/2021

Moderation

accepted

CPE

ready

EPSS

0.00356

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!